Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

 
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help Locally
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
    Work @ CISA
  • About
    Culture
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Contact Us
    Site Links
    Reporting Employee and Contractor Misconduct
    CISA GitHub
Report a Cyber Issue
America's Cyber Defense Agency
Breadcrumb
  1. Home
  2. News & Events
  3. Cybersecurity Directives
Share:

Directives

  • Guidance on Applying June Microsoft Patch Tuesday Update for CVE-2022-26925
Binding Operational Directives

Binding Operational Directive 15-01 (Revoked)

May 21, 2015

CRITICAL VULNERABILITY MITIGATION

This directive has been revoked. It is superseded by BOD 19-02.

This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 15-01, “Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems”.

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

Increasing cybersecurity risks are forcing organizations to focus more attention on information security. By identifying and mitigating vulnerabilities in the information technology (IT) environment, organizations can reduce the risk of attackers penetrating their networks and stealing information.

In accordance with Office of Management and Budget (OMB) Memorandum 15-01: Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices, the Department’s National Cybersecurity and Communications Integration Center (NCCIC) conducts persistent network and vulnerability scans of Federal Civilian Executive Branch Departments and Agencies’ (“Department and Agency”) Internet-accessible systems to identify known vulnerabilities and configuration errors. As a result of this activity, reports titled “Cyber Hygiene report” are generated and delivered weekly, tailored to each Department and Agency, to provide an enhanced understanding of that Department’s or Agency’s cyber posture and to promote a secure and resilient IT infrastructure. The weekly reports illustrate the vulnerabilities detected, identify the affected systems, and provide mitigation guidance. Often, the vulnerabilities identified through these scans are rated “critical.”

Critical vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating of “ten” on a scale of one to ten are included in each weekly “Cyber Hygiene report.” CVSS is a vulnerability scoring system designed to provide a universally open and standardized method for rating IT vulnerabilities utilized by both government and private sector entities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.

Critical vulnerabilities are typically remotely exploitable, have a low complexity to execute, utilize default or no authentication and impact confidentiality, integrity and availability. By their very nature, critical vulnerabilities detected through scanning are exposed to anyone with an Internet connection, are at imminent risk of exploitation by a malicious third party and should be immediately addressed.

The NCCIC has observed traffic targeting known vulnerabilities (e.g. Heartbleed) through the National Cybersecurity Protection System and recorded numerous incident reports across all critical infrastructure sectors where the root cause of compromise stemmed from outdated operating systems and applications (e.g. content management systems) and weak (to include instances of default) credentials. In addition, the NCCIC is aware that sophisticated advanced persistent threat actors have exploited several of these critical vulnerabilities in cyber incidents affecting Department and Agency networks, private sector, and state, local, tribal, and territorial entities.

In the future, the NCCIC scanning capability will benefit from the continued implementation of the Departments’ Continuous Diagnostics and Mitigation (CDM) solutions across the Department and Agencies’ IT infrastructure. This will allow for more robust information sharing of critical vulnerabilities (both Internet-exposed and internal) and assist the NCCIC in focusing Department and Agency assessments.

Required Actions

All Departments and Agencies shall review and mitigate the critical vulnerabilities on their Internet-facing systems identified by the NCCIC within 30 days of issuance of their weekly “Cyber Hygiene report.” The timeliness of this mitigation is imperative given that all the vulnerabilities identified through a scan are Internet-accessible.

This Binding Operational Directive applies to all current and future critical vulnerabilities identified in the weekly “Cyber Hygiene report.” Departments or Agencies that are unable to mitigate a vulnerability within thirty days will provide a detailed justification to DHS outlining any barriers, planned steps for resolution, and a timeframe for mitigation. DHS, through its Federal Network Resilience Division, will work directly with the Department or Agency to attempt to assist or address any constraints limiting expedited resolution of the vulnerability. (44 U.S.C. § 3553(b)(2)(C) & 3)

Progress Tracking

Beginning on the date of issuance of this Binding Operational Directive, all critical vulnerabilities identified on a Department’s or Agency’s weekly “Cyber Hygiene report” must be mitigated within 30 days of the initial reporting of a critical vulnerability:

  • The NCCIC will leverage the weekly scans to track each Department’s and Agency’s progress mitigating its critical vulnerabilities.

  • DHS will provide quarterly “Cyber Hygiene report” updates to OMB to ensure Department and Agency results are synchronized with OMB cybersecurity oversight initiatives.

  • Mitigated vulnerabilities will automatically be detected and removed from future reports.

  • Any vulnerability that cannot be mitigated within thirty days must be reported to DHS with a detailed justification explaining the constraints limiting expedited mitigation and the steps that the Department or Agency is implementing to progress toward mitigation.
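The following is an added example, not part of BOD 15-01 and not CISA or NCCIC tooling. It makes two things in the directive concrete: the "critical" threshold described in the Background section (a CVSS score of ten, which under the CVSS v2 base formula in use in 2015 means network-reachable, low complexity, no authentication, and complete loss of confidiality, integrity and availability), and the Progress Tracking procedure above (first-seen date per finding, a 30-day deadline, findings absent from the latest weekly report counted as mitigated, and findings still present past the deadline flagged as needing a justification). The report contents, hostnames and CVE identifiers are constructed placeholders; the CVSS v2 weights and formula are those of the published CVSS v2 guide.

```python
"""
Added example: CVSS v2 base scoring plus a 30-day mitigation tracker over
successive weekly "Cyber Hygiene"-style reports. Sample data is constructed.
"""
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights (published CVSS v2 guide).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a metric -> value dict."""
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vector}")
    return parts


def _round1(x):
    # CVSS rounds half up to one decimal; Python's round() uses banker's rounding.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    """CVSS v2 base score: 0.6*Impact + 0.4*Exploitability - 1.5, scaled by f(Impact)."""
    m = parse_vector(vector)
    c, i, a = CIA[m["C"]], CIA[m["I"]], CIA[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def is_critical(vector):
    """BOD 15-01's 'critical' is a CVSS score of ten on the one-to-ten scale."""
    return cvss2_base_score(vector) == 10.0


MITIGATION_WINDOW = timedelta(days=30)


def track_findings(reports):
    """
    reports: list of (report_date, [(host, cve, vector), ...]), oldest first.
    Returns {(host, cve): {"first_seen", "deadline", "status"}} for critical findings.
    Status is "mitigated" when the finding has dropped out of the latest report,
    "overdue-justification-required" when it is still present past the deadline,
    and "open" otherwise.
    """
    first_seen = {}
    for report_date, findings in reports:
        for host, cve, vector in findings:
            if is_critical(vector):
                first_seen.setdefault((host, cve), report_date)

    latest_date, latest_findings = reports[-1]
    still_open = {(h, c) for h, c, v in latest_findings if is_critical(v)}

    status = {}
    for key, seen in first_seen.items():
        deadline = seen + MITIGATION_WINDOW
        if key not in still_open:
            state = "mitigated"
        elif latest_date > deadline:
            state = "overdue-justification-required"
        else:
            state = "open"
        status[key] = {"first_seen": seen, "deadline": deadline, "status": state}
    return status


# Constructed sample reports: hostnames use the reserved .example TLD and the
# CVE identifiers are placeholders, not real CVE records.
CRIT = "AV:N/AC:L/Au:N/C:C/I:C/A:C"      # scores 10.0
PARTIAL = "AV:N/AC:L/Au:N/C:P/I:P/A:P"   # scores 7.5, so not "critical" here
SAMPLE_REPORTS = [
    (date(2015, 6, 1), [("web1.agency.example", "CVE-0000-0001", CRIT),
                        ("web2.agency.example", "CVE-0000-0002", PARTIAL)]),
    (date(2015, 6, 8), [("web1.agency.example", "CVE-0000-0001", CRIT),
                        ("mail.agency.example", "CVE-0000-0003", CRIT)]),
    (date(2015, 7, 6), [("web1.agency.example", "CVE-0000-0001", CRIT)]),
]

if __name__ == "__main__":
    for key, info in sorted(track_findings(SAMPLE_REPORTS).items()):
        print(key, info["first_seen"], "deadline", info["deadline"], info["status"])
```

In the sample run the web1 finding was first reported on 1 June, its 30-day deadline was 1 July, and it is still present in the 6 July report, so it is flagged as needing the justification the directive requires; the mail finding disappeared from the latest scan and is counted as mitigated; the 7.5 finding is not tracked because it is not critical under the directive's definition.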
